Employee Digital Monitoring and Data Privacy: Where Does the Employer’s Authority End?

(Article drafted by Anastasios Koletsas, Associate and Marily Garyfallou, Senior Associate for Lexology on April 16, 2026)

Introduction

The integration of digital technologies into the workplace has substantially altered the boundaries between employees’ professional activities and their private lives. In this context, an employer’s ability to monitor the use of a work computer raises critical issues of lawfulness from the perspective of personal data protection. In particular, questions arise regarding the scope of employees’ reasonable expectation of privacy in the workplace and the conditions under which the employer’s processing of their data may be considered lawful. Within this framework, legitimate concerns emerge that directly affect employees, such as whether the employer may monitor the use of a work computer, gain access to files stored on it, or even review their electronic communications in the course of performing their duties.

The Protection of Employees’ Privacy within the Employment Context

At the outset, it should be emphasized that the collection and processing of employees’ personal data, even where intended to ensure the proper functioning of the undertaking, to fulfil the purposes of the employment contract and the employment relationship itself, and to serve the employer’s freedom to conduct a business, cannot take place without oversight and limitations. Employees retain a legitimate and reasonable expectation of protection of their private life even while present in the workplace. This expectation cannot be diminished or restricted merely because the employee uses equipment, communication devices, or other professional facilities and infrastructure belonging to the employer.

In contemporary working conditions, the boundaries between professional and private life are becoming increasingly blurred. In particular, the possibility of remote work and the use of devices or technologies owned by the employee further erode these boundaries, while simultaneously increasing the flow of employees’ personal data to which employers or even third parties may have access. The European Court of Human Rights (ECtHR), in its interpretation of Article 8(1) of the European Convention on Human Rights (ECHR), has consistently held that the concept of “private life” should not be interpreted narrowly or restrictively[1]. More specifically, it has recognized that there is no justification for excluding professional activities from the scope of protection afforded to private life. Furthermore, in its relevant case law, the Court has interpreted the notion of “home” under Article 8 ECHR as also encompassing professional premises—that is, the workplace itself—irrespective of the ownership status of the premises or the legality of the activities carried out therein.

Accordingly, employees do not forfeit their right to the protection of their private life and personal data upon “entering” the workplace. On the contrary, they retain a reasonable expectation of a certain degree of privacy within the working environment, particularly given that a significant part of their social and interpersonal relationships develops there. It is important to underline, however, that although employees enjoy a legitimate and reasonable expectation of privacy even within the framework of their professional activities, this right must be balanced, on the one hand, against the employer’s right to protect the undertaking from actions by employees that may jeopardize its reputation and overall proper functioning and, on the other hand, against the purpose and function of the employment contract, which must be duly performed.

Monitoring and Access to the Computer Used by the Employee in the Performance of Their Duties

The use of computers and internet access constitutes a fundamental and integral element of contemporary working life. However, it is frequently observed that employees also make use of internet access during working hours for personal purposes, such as browsing websites unrelated to their professional duties or storing personal files on the hard drive of a work-issued computer. The monitoring and recording of employees’ activity, as well as the employer’s access to personal data stored and maintained on the computer used by the employee for the performance of their professional duties, constitute processing within the meaning of the GDPR (Regulation (EU) 2016/679)[2].

Accordingly, for such processing of employees’ data by the employer to be considered lawful, the requirements set out in Articles 5 and 6 GDPR must be satisfied. In particular, monitoring and access to personal files stored on the devices used by employees in the provision of their services—activities which qualify as processing of personal data—must be based on one of the legal bases exhaustively provided for in Article 6 GDPR, and must cumulatively comply with the general principles governing lawful processing under Article 5 GDPR (namely, the principles of lawfulness, fairness and transparency; purpose limitation; data minimization; proportionality and necessity; accuracy; and integrity and confidentiality).

Furthermore, pursuant to Article 13 GDPR, the employer, acting as data controller, is under an obligation to provide employees with clear and comprehensive prior information regarding the introduction and use of monitoring and surveillance measures relating to their activities[3]. According to the Article 29 Working Party[4], employees must be informed in advance about the monitoring of their work-related activities, the purposes of the processing of their data, and any other information necessary to ensure fair and lawful processing. In addition, employees should not only receive prior notification but should also be provided with an intelligible, clear and precise statement of the relevant monitoring policies and procedures.

It should also be noted that where monitoring of employees’ electronic activity is carried out through the use of artificial intelligence, for example, through AI applications intended to assess employee performance, the lawfulness of such processing must also be examined in light of the provisions of Regulation (EU) 2024/1689 (the AI Act).

You can read the article on Lexology here: Employee Digital Monitoring and Data Privacy: Where Does the Employer’s Authority End? – Lexology

The full article is also available here: ROKAS_Lexology_ Employee Digital Monitoring and Data Privacy
